This dashboard provides the operational load and core insights that the operations team needs to track the load on the service, plan capacity, and assess the health of the service and its instances at a glance. You can click on any widget in the dashboard to drill down into the data being visualized. You can also make a copy of a widget and customize it: change how the data is visualized, expand or contract the scope of the data, and look at the underlying raw log data.
The second dashboard is the OUD Log Analytics dashboard. This is a composition of a wide variety of best practice analytical insights about the OUD instance's operational load. Examples include:
- Operation and log volume for the specified time span
- Protocol distribution and cryptography
- Top users
- Top client IP addresses
- Operation distribution
- LDAP status code distribution
- eTime outliers and volume
- Un-indexed searches
- Error trends
Note that you can drill down into any widget to get more detail, or adjust the view to get deeper insight into the data, all the way down to the raw log entries.
The fourth dashboard is the OUD Diagnostics dashboard. This dashboard is most commonly used to streamline the process of getting to the root cause of potential and active issues.
The "OUD Issues over the last 48 hours" widget of the OUD Diagnostics dashboard can enable the operations team to identify and remediate issues before they impact end customers of the directory service.
4. Enable Logging Analytics and set up the requisite Identity & Access Management (IAM) policy by navigating to the Logging Analytics Overview page (https://cloud.oracle.com/loganalytics/overview) and clicking "Start Using Logging Analytics". This workflow enables the Logging Analytics service, adds the requisite IAM policy in the root compartment, and creates a new log group named Default.
Navigate to OCI Console --> Management Agents --> Downloads and Keys
5. Deploy Management Agent to each OUD Host using the following steps
5a. Create an Agent key
Navigate to OCI Console --> Management Agents --> Downloads and Keys --> Create Key
Enter Key name MonitorOUD, select compartment ocioperations, check "Unlimited", and click "Create".
5b. Download Agent key to a local file named MonitorOUD.rsp
Navigate to OCI Console --> Management Agents --> Downloads and Keys
Right click the three dots at the far right side of the MonitorOUD key and click on "Download key to file".
5c. Edit downloaded agent key file MonitorOUD.rsp and uncomment the following two lines and save the file:
Service.plugin.logan.download=true
Service.plugin.appmgmt.download=true
5d. Download Management Agent
Click on "Agent for LINUX (X86_64)" ZIP file
5e. Download the latest release of JDK 8 from https://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
5f. Set up the target directory structure on the target LINUX host and add the OUD runtime user's group to the management agent user so that the management agent has permission to read the OUD log data.
$ sudo mkdir -p /opt/ods/exporter/sw
$ sudo chown -R mgmt_agent:mgmt_agent /opt/ods/exporter
$ sudo usermod -a -G <oud_users_group> mgmt_agent
Note that if you have restricted the default OUD log permissions to only be accessible by the OUD runtime user, you can use setfacl to grant read permission to the management agent user:
$ sudo setfacl -Rd -m "u:<management_agent_user>:r" "<OUD_logs_dir>"
5g. Upload the JDK 8 archive, the management agent zip file and the management agent response file (MonitorOUD.rsp) to each target OUD host and place them in /opt/ods/exporter/sw
5h. Extract the JDK and management agent software
$ cd /opt/ods/exporter/sw
$ tar -xf jdk-8u421-linux-x64.tar.gz
$ mv jdk1.8.0_421 jdk
$ unzip -qod mgmt_agent oracle.mgmt_agent.240724.1411.Linux-x86_64.zip
5i. Install management agent
$ cd /opt/ods/exporter/sw/mgmt_agent
$ sudo JAVA_HOME=/opt/ods/exporter/sw/jdk /opt/ods/exporter/sw/mgmt_agent/installer.sh /opt/ods/exporter/sw/MonitorOUD.rsp
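A pre-install check for step 5f, added here as an example (not part of the original instructions): it walks the OUD log directory and lists what the management agent user cannot read through owner/group/other mode bits, including directories it cannot traverse. The `mgmt_agent` user name is taken from the commands above; the log directory is passed as an argument, and ACL entries set with setfacl are not evaluated.

```python
import os

def class_bits(st, uid, gids):
    """rwx bits (0-7) of the permission class that applies to this uid/gid set."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def blocked_paths(log_dir, uid, gids):
    """Paths under log_dir that uid/gids cannot read (mode bits only, no ACLs)."""
    blocked = []
    for root, dirs, files in os.walk(log_dir):
        # A directory needs r (list) and x (traverse) before its files matter.
        if class_bits(os.stat(root), uid, gids) & 5 != 5:
            blocked.append(root)
            dirs[:] = []  # nothing below this directory is reachable
            continue
        for name in files:
            path = os.path.join(root, name)
            if not class_bits(os.stat(path), uid, gids) & 4:
                blocked.append(path)
    return blocked

if __name__ == "__main__":
    import pwd
    import sys
    agent = pwd.getpwnam("mgmt_agent")  # user name used in step 5f
    groups = set(os.getgrouplist(agent.pw_name, agent.pw_gid))
    for path in blocked_paths(sys.argv[1], agent.pw_uid, groups):
        print("not readable by mgmt_agent:", path)
```

Run it as root or as the OUD runtime user with the OUD log directory as the only argument; no output means the group membership alone is sufficient.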
Navigate to O&M Logging Analytics Administration page--> Menu --> Observability & Management --> Logging Analytics --> Administration
Click on "Create Entry", fill out the form and click "Create Entry"
7a. Navigate to O&M Logging Analytics Administration page--> Menu --> Observability & Management --> Logging Analytics --> Administration
7b. Click on one of the OUD entries
7c. Click on "Add association" or "Add Data"
7d. Select all of the OUD entities and then click "Next"
7e. Click on the "Search by Name or Description" box and enter "Oracle Unified Directory" and then check the OUD Access, Admin, and Error logs and then click "Validate and configure log collection"
7f. Wait for the validation process to complete. Depending on the number of OUD entities to configure, it may take a few minutes.
At this point, basic Logging Analytics configuration for the OUD entities is complete. Next, navigate to the Logging Analytics Dashboards and click on each of the OUD dashboards to view the data. It may take a few minutes before data from all OUD instances shows up.
Navigate to O&M Logging Analytics Dashboards page
- OUD Health (LA) - Basic health for operations team, management and capacity planning
- OUD Security - Security view of the same data
- OUD Log Analytics - Best practice analytics for identifying outliers and
- OUD Diagnostics - Dig deeper into the data to streamline root cause analysis
OCI IAM Policy Groups for Observability & Management:
- OCI IAM Management Agent Policy (omagent_policy) - Setup Mgmt Agent and collect metrics
- OCI IAM Log Purge Policy (ompurge_policy) - Enable setting and executing O&M Storage Purge Policy
- OCI IAM O&M Administrator Policy (omadmin_policy/omfedadmin_policy) - Load and edit log parsers/sources and manage dashboards
- OCI IAM O&M User Policy (omuser_policy/omfeduser_policy) - Enable users to view O&M Dashboards, Log Explorer, and Metrics Explorer
OCI IAM Policy Setup Workflow For O&M Admins and Users
- Create OCI IAM Static Groups and add users to group
Instructions for local OCI IAM users/groups:
Create and populate O&M group for local OCI IAM users
Navigate to: OCI Console —> Identity & Security —> Groups —> Create Group
Name: omadmin
Description: O&M Local Administrators
—> Add local relevant OCI IAM users to this group
Name: omuser
Description: O&M Local Users
—> Add local relevant OCI IAM users to this group
Instructions for federated OCI IAM users/groups:
Create and populate O&M group for federated OCI IAM users
Navigate to: OCI Console —> Identity & Security —> Federation —> Federated Name
—> Oracle Identity Cloud Service Console —> Groups —> Create Group
Name: omfedadmin
Description: O&M Federated Administrators
—> Add local relevant OCI IAM users to this group
Name: omfeduser
Description: O&M Federated Users
—> Add local relevant OCI IAM users to this group
- Create OCI IAM Dynamic Groups
Navigate to: OCI Console —> Identity —> Dynamic Groups —> Create Dynamic Group
Observability & Management Management Agent Dynamic Group
Name: omagent
Matching Rule Policy: Instances that meet the criteria defined by any of the following matching rules:
Matching Rule:
ALL {resource.type='managementagent',resource.compartment.id='<compute_compartment1_ocid>'}
ALL {resource.type='managementagent',resource.compartment.id='<compute_compartment2_ocid>'}
Where each <compute_compartmentN_ocid> is the OCID of a compartment containing the compute instances.
Observability & Management Log Purge Dynamic Group
Name: ompurge
Matching Rule Policy: Instances that meet the criteria defined by any of the following matching rules:
Matching Rule:
ALL {resource.type='loganalyticsscheduledtask', resource.compartment.id='<compartment_ocid>'}
or, alternatively, to allow purges on all compartments
ALL {resource.type='loganalyticsscheduledtask'}
- Create OCI IAM policies for Observability Management
Navigate to: OCI Console —> Identity —> Policies —> Create Policy
Observability & Management Management Agent Policy
Name: omagent_policy
Doc References:
- https://docs.oracle.com/en-us/iaas/management-agents/doc/perform-prerequisites-deploying-management-agents.html
Statements:
ALLOW DYNAMIC-GROUP omagent to {LOG_ANALYTICS_LOG_GROUP_UPLOAD_LOGS} IN COMPARTMENT ID <om_compartment_ocid>
ALLOW DYNAMIC-GROUP omagent TO MANAGE management-agents IN COMPARTMENT ID <compute_compartment_ocid>
ALLOW DYNAMIC-GROUP omagent TO USE METRICS IN COMPARTMENT ID <om_compartment_ocid>
ALLOW DYNAMIC-GROUP omagent TO MANAGE management-agent-install-keys IN COMPARTMENT ID <compute_compartment_ocid>
ALLOW DYNAMIC-GROUP omagent TO USE loganalytics-log-group in COMPARTMENT ID <om_compartment_ocid>
ALLOW DYNAMIC-GROUP omagent TO USE loganalytics-collection-warning in COMPARTMENT ID <om_compartment_ocid>
Observability & Management Management Storage Purge Policy
Name: ompurge_policy
Doc References:
- https://docs.oracle.com/en-us/iaas/logging-analytics/doc/manage-storage.html#GUID-DEAA0C68-9FB9-4441-9DCE-AEF6A358B6D5
Statements:
ALLOW DYNAMIC-GROUP ompurge to read compartments in tenancy
ALLOW DYNAMIC-GROUP ompurge to {LOG_ANALYTICS_STORAGE_PURGE} in tenancy
ALLOW DYNAMIC-GROUP ompurge to {LOG_ANALYTICS_STORAGE_WORK_REQUEST_CREATE} in tenancy
ALLOW DYNAMIC-GROUP ompurge to {LOG_ANALYTICS_LOG_GROUP_DELETE_LOGS} in tenancy
ALLOW DYNAMIC-GROUP ompurge to {LOG_ANALYTICS_QUERY_VIEW} in tenancy
ALLOW DYNAMIC-GROUP ompurge to {LOG_ANALYTICS_QUERYJOB_WORK_REQUEST_READ} in tenancy
ALLOW GROUP omadmin to MANAGE loganalytics-features-family in tenancy
ALLOW GROUP omadmin to MANAGE loganalytics-resources-family in tenancy
allow service loganalytics to READ loganalytics-features-family in tenancy
Observability & Management Admin Policy for local OCI IAM users
Name: omadmin_policy
Doc References:
- https://docs.oracle.com/en-us/iaas/Content/doc/get-started-management-dashboard.html
- https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/managementdashboardpolicyreference.htm
- https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/monitoringpolicyreference.htm
Note: Make sure that the log filter of dashboards and Log Explorer for compartment matches the compartment specified.
Statements:
ALLOW GROUP omadmin to USE compartments in tenancy
ALLOW GROUP omadmin to MANAGE loganalytics-features-family in tenancy
ALLOW GROUP omadmin to MANAGE loganalytics-resources-family in tenancy
ALLOW GROUP omadmin to MANAGE management-dashboard-family in compartment ocioperations
ALLOW GROUP omadmin to MANAGE management-saved-search in compartment ocioperations
ALLOW GROUP omadmin to READ metrics in compartment ocioperations
ALLOW GROUP omadmin to MANAGE loganalytics-resources-family in compartment ocioperations
Observability & Management User Policy for local OCI IAM users
Name: omuser_policy
Doc References:
- https://docs.oracle.com/en-us/iaas/Content/doc/get-started-management-dashboard.html
- https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/managementdashboardpolicyreference.htm
- https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/monitoringpolicyreference.htm
Note: Make sure that the log filter of dashboards and Log Explorer for compartment matches the compartment specified.
Statements:
ALLOW GROUP omuser to USE compartments in tenancy
ALLOW GROUP omuser to READ loganalytics-features-family in tenancy
ALLOW GROUP omuser to READ management-dashboard-family in compartment ocioperations
ALLOW GROUP omuser to READ management-saved-search in compartment ocioperations
ALLOW GROUP omuser to READ metrics in compartment ocioperations
ALLOW GROUP omuser to READ loganalytics-resources-family in compartment ocioperations
Observability & Management Admin Policy for federated OCI IAM users
Name: omfedadmin_policy
Doc References:
- https://docs.oracle.com/en-us/iaas/Content/doc/get-started-management-dashboard.html
- https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/managementdashboardpolicyreference.htm
- https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/monitoringpolicyreference.htm
Note: Make sure that the log filter of dashboards and Log Explorer for compartment matches the compartment specified.
Statements:
ALLOW GROUP omfedadmin to USE compartments in tenancy
ALLOW GROUP omfedadmin to MANAGE loganalytics-features-family in tenancy
ALLOW GROUP omfedadmin to MANAGE loganalytics-resources-family in tenancy
ALLOW GROUP omfedadmin to MANAGE management-dashboard-family in compartment ocioperations
ALLOW GROUP omfedadmin to MANAGE management-saved-search in compartment ocioperations
ALLOW GROUP omfedadmin to READ metrics in compartment ocioperations
ALLOW GROUP omfedadmin to MANAGE loganalytics-resources-family in compartment ocioperations
Observability & Management User Policy for federated OCI IAM users
Name: omfeduser_policy
Doc References:
- https://docs.oracle.com/en-us/iaas/Content/doc/get-started-management-dashboard.html
- https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/managementdashboardpolicyreference.htm
- https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/monitoringpolicyreference.htm
Note: Make sure that the log filter of dashboards and Log Explorer for compartment matches the compartment specified.
Statements:
ALLOW GROUP omfeduser to USE compartments in tenancy
ALLOW GROUP omfeduser to READ loganalytics-features-family in tenancy
ALLOW GROUP omfeduser to READ management-dashboard-family in compartment ocioperations
ALLOW GROUP omfeduser to READ management-saved-search in compartment ocioperations
ALLOW GROUP omfeduser to READ metrics in compartment ocioperations
ALLOW GROUP omfeduser to READ loganalytics-resources-family in compartment ocioperations
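A least-privilege review of the statements and matching rules above, added here as an example (not Oracle's tooling and not part of the original post): it parses a sample of the page's statements and reports which grants are tenancy-wide and able to modify or delete data, and which dynamic-group rules are not limited to a compartment. The regular expression covers only the statement shapes used on this page, and treating MANAGE, PURGE and DELETE as the grants worth flagging is this example's assumption.

```python
import re

# Statements and matching rules copied from the policies on this page.
STATEMENTS = [
    "ALLOW DYNAMIC-GROUP omagent TO MANAGE management-agents IN COMPARTMENT ID <compute_compartment_ocid>",
    "ALLOW DYNAMIC-GROUP ompurge to {LOG_ANALYTICS_STORAGE_PURGE} in tenancy",
    "ALLOW DYNAMIC-GROUP ompurge to {LOG_ANALYTICS_LOG_GROUP_DELETE_LOGS} in tenancy",
    "ALLOW GROUP omadmin to MANAGE loganalytics-resources-family in tenancy",
    "ALLOW GROUP omadmin to MANAGE management-dashboard-family in compartment ocioperations",
    "ALLOW GROUP omuser to READ loganalytics-features-family in tenancy",
]
RULES = [
    "ALL {resource.type='loganalyticsscheduledtask', resource.compartment.id='<compartment_ocid>'}",
    "ALL {resource.type='loganalyticsscheduledtask'}",
]

STMT_RE = re.compile(
    r"^allow\s+(?P<kind>dynamic-group|group|service)\s+(?P<subject>\S+)\s+to\s+"
    r"(?:\{(?P<perms>[^}]+)\}|(?P<verb>\w+)\s+(?P<resource>\S+))\s+"
    r"in\s+(?P<scope>tenancy|compartment(?:\s+id)?\s+\S+)$",
    re.IGNORECASE)

def parse(statement):
    """Split one statement into subject, grant (verb+resource or {permission}) and scope."""
    m = STMT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    p = m.groupdict()
    p["verb"] = (p["verb"] or "").lower()
    p["tenancy_wide"] = p["scope"].lower() == "tenancy"
    return p

def review(statements):
    """Return (subject, grant) for tenancy-wide grants that can modify or delete data."""
    findings = []
    for p in map(parse, statements):
        destructive = p["verb"] == "manage" or re.search(r"PURGE|DELETE", p["perms"] or "")
        if p["tenancy_wide"] and destructive:
            findings.append((p["subject"], p["perms"] or f"{p['verb']} {p['resource']}"))
    return findings

def unscoped_rules(rules):
    """Matching rules without a resource.compartment.id condition apply in every compartment."""
    return [r for r in rules if "resource.compartment.id" not in r]

if __name__ == "__main__":
    for subject, grant in review(STATEMENTS):
        print(f"tenancy-wide, can modify or delete: {subject}: {grant}")
    print("match in every compartment:", unscoped_rules(RULES))
```

Each reported grant is a candidate for narrowing to `compartment ocioperations` or to a compartment OCID, and the log purge and delete permissions deserve the closest look because they remove the audit data the dashboards depend on.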